Breaking Badness

Breaking Badness Cybersecurity Podcast - 192. TLD-fense

Coming up this week on Breaking Badness: When Domain Names Collide, Never Forget A Face, and Gold, Guidance, and Grievances.


When Domain Names Collide

  • Researchers find that new top level domains (TLDs) have opened a can of worms affecting domain names intended exclusively for internal company network use
  • Brian Krebs shares the idea of “namespace collision” in this article
    • Namespace collision is just a fancy term for two or more things having the same name in a context where a specific type of name is expected
    • The example Tim provides in the episode is about how Kali experiences this in her real life with two Seans: Marriage Sean and Work Sean
      • The namespace is “first names of people in Kali’s life”
  • These internal domains were created when these TLDs didn’t exist. Would it have been a good practice to make adjustments as soon as companies realized the new TLDs were created?
    • Absolutely, but we’re not here to judge. We know everyone has a lot going on all the time
    • Some of these new gTLDs have just been a bad idea, period. (.zip, we’re looking at you)
    • But looking back, network admins had a chance to realize that these kinds of things could happen when Windows shifted from its old WINS service for resolving names to IP addresses over to DNS, which Active Directory uses
      • Tim remembers that at the time, many in the networking world were happy about this change because WINS was a bit of a hassle and DNS was at least a well-understood protocol. BUT… we should have seen this coming
  • What did researcher Philippe Caturegli share with Krebs?
    • When you want to know about what domains might exist, you can certainly turn to passive DNS…
    • But another interesting way is via certificates, and that’s the route he went. He’s been scanning the open Internet for self-signed certificates referencing domains in a variety of TLDs likely to appeal to businesses, including .ad, .associates, .digital, .domains, .email, .ms, .name, .network, .security, .services, .site, and .zone, among many others
    • He’s found at least 9k domains
  • Why does Krebs warn that wpad.ad is perhaps the most dangerous domain in Caturegli’s stable?
    • First of all, Caturegli owns this domain, and not some bad actor, so that’s the good news 
    • But why does it matter? Well, WPAD stands for Web Proxy Auto-Discovery Protocol, and this is something that’s been in Windows basically forever
    • It’s an on-by-default feature that helps Windows automatically find and download any proxy settings required by the local network
    • Local networks often configure proxies for various kinds of traffic on that network. The problem here is that if you were an admin using .ad for your internal network structure, and a Windows admin (that’s the context we’re talking about here), then there’s every possibility that you configured your network to have your hosts talk to wpad.ad, because that’s what you’re using internally
    • Well guess what? In many, many contexts, that traffic is now going straight to his WPAD. It’s not exactly a honeypot because he’s not trying to find anything bad, but still…
    • It’s his sensor, shall we call it, and so he’s seeing thousands and thousands of devices, all over the world, that are trying to get to wpad.ad
    • In one week, he said he saw over 140,000 hits from hosts around the world. And so, that’s just a great example of where this name collision, shall we say, really hurts
  • Correcting this problem can be time-consuming, costly, and disruptive to normal workflows, but then how do we mitigate it?
    • This is something that can’t be left alone – you unfortunately can’t put your head in the sand and pretend you didn’t read this story (or listen to this podcast!)
      • At least not without setting yourself up with some bigger problems down the road that you really don’t want to have when malicious actors have access to all kinds of internal data from your network
    • If you’re using .ad as your internal TLD or any others, go make sure that’s not an actual routable generic TLD because if it is, and you don’t own all the hostnames that you care about in that TLD, then you’re going to have a problem
    • So yes, you need to do something about this, and the answer will depend on your network architecture and which TLDs you use
    • There’s no one size fits all action here, except be aware of this and take action as appropriate
      • But you know the right answer in most cases is, register a domain
    • And by the way, also register the typo variants of that domain, because your users will fat-finger it sometimes
    • Then use that registered domain. Don’t resolve it out to the world, but use that registered domain and subdomains thereof internally for all those internal resources that your users need to get to 
    • Then you can have access control on the authoritative DNS so that not everybody in the world can just go and resolve all of those subdomains on that routable TLD
    • Part of the challenge here is that if you knew that all of your protected devices would always talk to the same DNS server, and that was a DNS server inside your environment and not out in the world, then the scope of this problem would be smaller, but that’s not the way devices work
    • You can’t really control that, so you have to therefore use a domain that you truly do control as your domain for hosting your internal resources
    • This reiterates the importance for any serious enterprise to really control their own destiny by running their own DNS
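To make the audit in the bullets above concrete, here is an added example for this recap (not code from the episode, from Krebs’s article, or from DomainTools). It takes a list of internal hostnames and a few resolver query-log lines, both constructed here, and flags names whose TLD is publicly delegated, singling out wpad.<tld> because Windows looks that name up on its own. PUBLIC_TLDS is a constructed subset of the real list and the log lines follow the BIND query-log layout; for a real run, load the full TLD list from IANA (https://data.iana.org/TLD/tlds-alpha-by-domain.txt) and the hostnames from your own zone files or directory.

```python
"""Audit internal hostnames and resolver logs for TLD name collisions.

Added example for the Breaking Badness recap; not code from the episode.
"""
import re
from collections import Counter

# Constructed subset of publicly delegated TLDs (all are real TLDs named in
# the episode). The real IANA list has well over a thousand entries.
PUBLIC_TLDS = {
    "ad", "associates", "digital", "domains", "email", "ms", "name",
    "network", "security", "services", "site", "zone", "zip",
}

# Special-use names that are never delegated on the public Internet
# (.local is reserved for mDNS by RFC 6762; the others by RFC 2606/6761).
SAFE_TLDS = {"local", "localhost", "test", "example", "invalid"}

# Leftmost labels that Windows hosts look up automatically, so a collision
# leaks traffic without any user action. WPAD is the case from the episode.
AUTO_DISCOVERY_LABELS = {"wpad"}


def classify(hostname: str) -> str:
    """Rate one internal hostname by collision risk of its TLD.

    Returns 'safe' (reserved TLD), 'critical' (auto-discovered name in a
    public TLD), 'collision' (any other name in a public TLD) or
    'not-in-list' (TLD not in PUBLIC_TLDS; re-check against the full list).
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    tld = labels[-1]
    if tld in SAFE_TLDS:
        return "safe"
    if tld not in PUBLIC_TLDS:
        return "not-in-list"
    if labels[0] in AUTO_DISCOVERY_LABELS:
        return "critical"
    return "collision"


def audit_names(hostnames):
    """Return {hostname: rating} for every name that is not 'safe'."""
    return {h: classify(h) for h in hostnames if classify(h) != "safe"}


# Extracts client address, query name and type from a BIND-style log line:
#   client @0x7f3a1c0 10.1.20.7#51234 (wpad.ad): query: wpad.ad IN A + (...)
QUERY_RE = re.compile(
    r"client\s+(?:@\S+\s+)?(\S+?)#\d+\s+\(\S+\):\s+query:\s+(\S+)\s+IN\s+(\S+)"
)


def find_colliding_queries(log_lines, internal_tlds):
    """Count (client, qname) pairs for queries under a TLD that this
    organisation uses internally but that is also publicly delegated.

    Each hit is a lookup that escapes to the public DNS whenever the client
    is not pointed at an internal resolver that is authoritative for it.
    """
    risky_tlds = {t.lower().lstrip(".") for t in internal_tlds} & PUBLIC_TLDS
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        qname = qname.lower().rstrip(".")
        if qname.split(".")[-1] in risky_tlds:
            hits[(client, qname)] += 1
    return hits


# Constructed sample data: an internal host inventory and resolver log lines.
SAMPLE_HOSTS = ["wpad.ad", "fileserver.corp.ad", "printer.corp.local", "db.corp.lan"]
SAMPLE_LOG = [
    "02-Mar-2024 09:15:01.123 client @0x7f3a1c0 10.1.20.7#51234 (wpad.ad): query: wpad.ad IN A + (10.0.0.53)",
    "02-Mar-2024 09:15:02.004 client @0x7f3a1c0 10.1.20.9#40001 (fileserver.corp.ad): query: fileserver.corp.ad IN A + (10.0.0.53)",
    "02-Mar-2024 09:15:02.550 client @0x7f3a1c0 10.1.20.7#51240 (printer.corp.local): query: printer.corp.local IN A + (10.0.0.53)",
    "02-Mar-2024 09:15:03.010 client @0x7f3a1c0 10.1.20.7#51241 (wpad.ad): query: wpad.ad IN A + (10.0.0.53)",
    "02-Mar-2024 09:15:04.777 client @0x7f3a1c0 10.1.30.2#33000 (www.example.com): query: www.example.com IN A + (10.0.0.53)",
]

if __name__ == "__main__":
    for name, rating in audit_names(SAMPLE_HOSTS).items():
        print(f"{rating:12s} {name}")
    for (client, qname), n in find_colliding_queries(SAMPLE_LOG, {"ad", "local"}).items():
        print(f"{n:4d} queries from {client} for {qname}")
```

The two functions answer the two questions in the bullets: audit_names tells you whether the suffixes you use internally are routable TLDs at all, and find_colliding_queries shows which hosts are already asking for those names, which is the set that needs to be repointed at a domain you actually register and control.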

Never Forget A Face

  • Facial recognition is being used more in the entertainment arena like sporting events, but protesters are calling foul
  • The argument from stadiums using facial recognition is that it makes lines shorter and therefore, the experience more pleasant for sports fans – is there a case for it?
    • Nobody likes long lines at the stadium to get into a venue. Daniel thinks there are some venues that do it really well and you barely notice
    • The argument here is that this is all in the name of security – you have to verify yourself that you are who you are and you own the tickets and maybe there are some security concerns behind that, so that argument in Daniel’s opinion is ok
    • These stadiums want you to download an app, take a selfie, and prove that you are you through a verification mechanism, and then you get a special security lane in order to reward you for going through these steps 
    • We have not read the fine print, but it’s possible they do a quick background check on you to ensure you’re not on a watch list or something like that 
    • Then you’re afforded the privilege of accessing a fast track lane
    • But the way this works is you walk up and then you either look at a camera or there’s a camera and you don’t even notice. It scans your face, does a facial recognition image match, and if that matches the profile that you’ve created and that they verified, then you’re good to go and you walk right through rather than having to open your bag and have everything searched 
  • Protesters are saying that the practice fuels “mission creep”
    • Daniel would say that the mission creep is to make the case that just because somebody goes ahead with registering this profile and providing all of that information voluntarily makes things more secure, and the incentive of saying you don’t have to wait in line as much is sort of the carrot and the stick
    • Daniel is thinking, “what are they going to do with this data?”
      • If I can get hundreds of thousands of people to register their face and agree to tie it to their identity, this is worth money
      • Daniel is virtually certain that somewhere in the fine print, it says they can share this data with “an appropriate third party” or you’ll get added to a compendium of facial recognition databases that then third parties can buy, and you have no idea where it’s going
      • Then you walk down the street in a major metropolitan area, and the camera will see you, and it will know that it’s you
    • This actually came up a year or so ago at Madison Square Garden, but they took it a step further
      • They would ban lawyers that were in litigation against the police department from entry saying, “You can’t be here. You are suing us.”
    • It all starts out seemingly harmless and you get to go through a line faster
      • Daniel has TSA Precheck and various other things, so he’s not completely opposed 
  • What are some alternatives? If we want to make lines quicker without facial recognition, what can we do?
    • Stadiums with wide lanes and lots of entrances help
    • More employees working to staff those lines also help
    • Daniel’s suggestion is fingerprinting – people get worried about fingerprints being taken because it’s typically used in a law enforcement context, but he’s been fingerprinted for various clearances and it’s actually a lot harder to do something with fingerprints (for third parties)
      • It’s relatively low stakes and less invasive than using your face

This Week’s Hoodie/Goodie Scale

When Domain Names Collide

[Tim]:  4/10 Hoodies
[Daniel]:  3/10 Hoodies

Never Forget a Face

[Tim]:  9/10 Hoodies
[Daniel]:  9/10 Hoodies


That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools; all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!